Washington, DC - Hackers are using compromised code signing certificates to sign malware. This, in turn, tricks antivirus programs into thinking the malware has come from a trusted source. The antivirus program doesn’t flag the software as being untrusted or malicious, a user downloads it and suddenly their computer is infected.

It’s a brilliant play – and a dangerous one, too.

What is a Code Signing certificate?

A code signing certificate is a digital certificate that lets an individual developer or an organization digitally sign a script or executable. This digital signature serves two purposes. First, it lets end users verify the identity of the publisher. Second, it lets end users verify that the software arrived as the publisher intended, that is, that it hasn’t been tampered with.

Web filters like Google Safe Browsing and Microsoft SmartScreen, as well as antivirus programs, require that software be signed; otherwise they flag the download as untrusted and potentially unsafe. This warning is enough to dissuade most end users.

What happens when a code signing certificate is compromised?

When a code signing certificate is compromised, it can be used to sign malicious software like malware and fool antivirus programs. Because the digital signature of a trusted publisher is present, the programs believe the software must be trustworthy as well. Thus, no warning is issued and the end user winds up downloading malware.

Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. “Most of these cases were not previously known, and two thirds of the malware samples signed with these 72 certificates are still valid; the signature check does not produce any errors,” Tudor Dumitras, one of the researchers, told El Reg. “Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states. We also found 27 certificates issued to malicious actors impersonating legitimate companies that do not develop software and have no need for code-signing certificates, like a Korean delivery service… This flaw affects 34 antivirus products, to varying degrees, and malware samples taking advantage of this are also common in the wild.”

In some cases, the malware creators didn’t even need to possess a code signing certificate. Simply copying a digital signature (an Authenticode signature) onto the software was enough to trick the antivirus programs, even though the copied signature was invalid for the file it was attached to.

A study by the Cyber Security Research Institute and Venafi recently found code signing certificates for sale on the dark web for around $1,200.

“Our research proves that code signing certificates are lucrative targets for cyber criminals,” said Kevin Bocek, chief security strategist for Venafi. “With stolen code signing certificates, it’s nearly impossible for organizations to detect malicious software. In addition, code signing certificates can be sold many times over before their value begins to diminish, making them huge money makers for hackers and dark web merchants. All of this is fuelling the demand for stolen code signing certificates.”

What can be done to fix this?

This problem needs to be dealt with on several levels. For starters, CAs need to tighten up their validation practices to avoid issuing code signing certificates to entities that don’t develop software. A trusted CA should be able to tell very quickly whether something seems fishy about the company applying for the certificate if they’re, say, a Korean delivery service – as was the example given earlier.

Antivirus vendors need to tighten up as well. Specifically, an invalid signature should be treated as if there were no signature at all. The fact that a misapplied signature is enough to stop these programs from warning users before a download is appalling.
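As an added example (not from the article), the PowerShell script below applies that policy on Windows using Get-AuthenticodeSignature: a copied or otherwise mismatched signature (the HashMismatch case described in the earlier section) gets the same verdict as no signature, and only a signature that verifies and chains to a trusted root earns a pass. The scan directory and the optional publisher-thumbprint allow-list are assumptions you fill in.

```powershell
# Added example, not the article's code. Classifies files by Authenticode status and
# treats everything short of a valid signature as unsigned. Assumes Windows PowerShell;
# the directory and the thumbprint allow-list below are placeholders.
param(
    [string]$Directory = "$env:USERPROFILE\Downloads",  # assumption: folder to scan
    [string[]]$TrustedThumbprints = @()                  # assumption: vetted publisher thumbprints
)

function Get-SignatureVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $verdict = switch ($sig.Status) {
        'Valid' {
            # Verifies and chains to a trusted root. A stolen certificate lands here
            # too, so "Trusted" is only as good as the signer's key custody; an
            # optional allow-list of publisher thumbprints narrows that.
            if ($TrustedThumbprints.Count -gt 0 -and
                $sig.SignerCertificate.Thumbprint -notin $TrustedThumbprints) {
                'SignedByUnvettedPublisher'
            } else { 'Trusted' }
        }
        'HashMismatch' {
            # A signature is present but does not cover these bytes: the copied
            # signature case. It gets the same verdict as no signature at all.
            'Untrusted (signature does not match file)'
        }
        'NotSigned' { 'Untrusted (unsigned)' }
        default {
            # NotTrusted, UnknownError, Incompatible, NotSupportedFileFormat:
            # none of these is a verified signature, so none earns a pass.
            "Untrusted ($($sig.Status))"
        }
    }

    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Verdict = $verdict
    }
}

Get-ChildItem -Path $Directory -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 |
    ForEach-Object { Get-SignatureVerdict -Path $_.FullName } |
    Format-Table -AutoSize
```

Run it against a folder of downloads to see which files are merely carrying a signature versus actually verified; the Status column shows the raw result and the Verdict column shows the policy applied to it.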

And finally, for companies whose certificates are compromised, it frankly comes down to better key management in a lot of cases. If you lose control of that private key, your certificate is worthless. One answer is to store the key on a physical hardware token, not on your network. That makes stealing the private key much harder, because the token has to be physically taken. That’s a huge advantage in this situation. Alternatively, you could invest in an Extended Validation (EV) code signing certificate. It requires more extensive vetting by the issuing CA, and its private key is also delivered on a physical hardware token.